CVE-2023-30013
published 2023-05-05


Priority: P2 (76) · Severity: Critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 25.89% (97.7th percentile)
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Affected (2 ranges)

Vendor     Product           Version range            Fixed in
totolink   x5000r_firmware   9.1.0u.6118_B20201102    not listed
totolink   x5000r_firmware   9.1.0u.6369_B20230113    not listed

Detection & IOCs (extracted from sources)

url: /cgi-bin/cstecgi.cgi
command (POST body of the nuclei-style payload; {{randstr}} is a template placeholder):
{"command":"127.0.0.1; ls>../{{randstr}};#","num":"230","topicurl":"setTracerouteCfg"}
Suricata rule (Emerging Threats sid 2048119; uses Suricata sticky buffers such as http.request_body):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TOTOLINK setTracerouteCfg Command Injection Attempt (CVE-2023-30013)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; fast_pattern; http.request_body; content:"|7b 22|command|22 3a 22|"; startswith; content:"|3b|"; distance:0; content:"|3b 22 2c 22|"; distance:0; content:"topicurl|22 3a 22|setTracerouteCfg|22 7d|"; endswith; reference:url,attackerkb.com/topics/xnX3I3PEgM/cve-2023-30013; reference:cve,2023-30013; classtype:attempted-admin; sid:2048119; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2023_09_19, cve CVE_2023_30013, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_09_19, reviewed_at 2023_09_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
bytes matched at start of body: |7b 22|command|22 3a 22|  (i.e. {"command":")
bytes matched at end of body:   topicurl|22 3a 22|setTracerouteCfg|22 7d|  (i.e. topicurl":"setTracerouteCfg"})
  • The exploit is an HTTP POST to /cgi-bin/cstecgi.cgi with a JSON body carrying the 'command' parameter and 'topicurl':'setTracerouteCfg'; no authentication is required.
  • Confirmation used by the public template: the response to the injection request (body_1 in the template) contains the strings 'lan_ip' and 'reserv', and a follow-up GET for the dropped file returns '.sh' or '.cgi' filenames, which confirms command execution.
  • The payload uses semicolons (0x3b) as shell command separators inside the JSON 'command' value; the rule keys on a |3b| (';') byte after the start of the command value, followed by the value terminator |3b 22 2c 22| (';","'). Payloads that separate commands some other way, or that do not end the value with ';', fall outside those content matches.
  • Successful exploitation yields root-level access, since the web server typically runs as root on affected TOTOLINK devices.
  • Multiple TOTOLINK device models beyond the X5000R are reported to share the same vulnerability in setTracerouteCfg; detections should not be scoped to the X5000R alone.
  • Because the vulnerability is unauthenticated, deploying the rule only at the perimeter is insufficient; internal deployment is recommended as well.
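The following is an added example, not code from the page's sources, from TOTOLINK, or from the Emerging Threats rule authors. It re-implements the rule's body content matches in Python as a simplified model of Suricata's relative matching (`startswith`/`endswith` as prefix/suffix tests, `distance:0` read as "next match starts at or after the end of the previous one", with backtracking over earlier ';' occurrences), and sets it beside a semantic check that validates the 'command' value as an IP literal or hostname, which is what a traceroute target should be. The sample requests are constructed; `abc123` stands in for the nuclei `{{randstr}}` placeholder; the hostname regex, the `semantic_check` labels and all function names are my own. Running it shows two things the byte-pattern rule alone does not: the nuclei-style payload above terminates the value with `;#` rather than `;`, so the `;","` content never matches it, and a payload using `|` instead of `;` is likewise invisible to the rule, while the allow-list check flags both.

```python
"""Added example: ET sid 2048119 body logic vs. a semantic traceroute-target check.
Sample requests are constructed; not captured traffic."""
import ipaddress
import json
import re

CGI_PATH = b"/cgi-bin/cstecgi.cgi"
# Byte sequences taken from the rule's content matches.
BODY_PREFIX = b'{"command":"'                        # |7b 22|command|22 3a 22|  (startswith)
SEMICOLON = b";"                                     # |3b|                     (distance:0)
VALUE_END = b';","'                                  # |3b 22 2c 22|            (distance:0)
BODY_SUFFIX = b'topicurl":"setTracerouteCfg"}'       # (endswith)

# Hostname allow-list (assumption: RFC 1123-style labels, dotted, max 253 chars).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); empty parts on malformed input."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) != 3:
        return b"", b"", body
    return parts[0], parts[1], body


def rule_matches(raw: bytes) -> bool:
    """Model of the rule: POST to the CGI path, body starts with {"command":",
    ends with topicurl":"setTracerouteCfg"}, and some ';' in the value is followed
    (at or after the byte after it) by the terminator ';","'."""
    method, uri, body = split_request(raw)
    if method != b"POST" or CGI_PATH not in uri:
        return False
    if not body.startswith(BODY_PREFIX) or not body.endswith(BODY_SUFFIX):
        return False
    pos = body.find(SEMICOLON, len(BODY_PREFIX))
    while pos >= 0:                      # backtrack over ';' occurrences like the engine does
        if body.find(VALUE_END, pos + 1) >= 0:
            return True
        pos = body.find(SEMICOLON, pos + 1)
    return False


def is_valid_target(target: str) -> bool:
    """Allow-list check: the traceroute target must be an IP literal or a plain hostname.
    This is also the shape of fix the handler itself needs (validate, then pass as argv)."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.fullmatch(target))


def semantic_check(body: bytes) -> str:
    """Classify a cstecgi.cgi body: 'benign', 'suspicious', or 'other'
    (not a setTracerouteCfg call, or not JSON)."""
    try:
        obj = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return "other"
    if not isinstance(obj, dict) or obj.get("topicurl") != "setTracerouteCfg":
        return "other"
    target = obj.get("command", "")
    if isinstance(target, str) and is_valid_target(target):
        return "benign"
    return "suspicious"


def build_request(body: bytes) -> bytes:
    """Wrap a body in a minimal POST to the CGI endpoint (constructed request)."""
    return (b"POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            b"Content-Type: application/json\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample bodies: a normal traceroute, a ';'-terminated injection,
# the page's nuclei-style payload (randstr replaced), and a '|' separator variant.
SAMPLES = {
    "benign":        b'{"command":"8.8.8.8","num":"3","topicurl":"setTracerouteCfg"}',
    "poc_semicolon": b'{"command":"127.0.0.1; id;","num":"230","topicurl":"setTracerouteCfg"}',
    "nuclei_style":  b'{"command":"127.0.0.1; ls>../abc123;#","num":"230","topicurl":"setTracerouteCfg"}',
    "pipe_variant":  b'{"command":"127.0.0.1|id","num":"230","topicurl":"setTracerouteCfg"}',
}


def evaluate() -> dict:
    """Return {name: (rule fires?, semantic label)} for every sample."""
    return {name: (rule_matches(build_request(b)), semantic_check(b))
            for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fired, label) in evaluate().items():
        print(f"{name:14s} rule={fired!s:5s} semantic={label}")
```

The rule model is deliberately literal: it fires only on the ';' + ';","' shape the ET signature describes, so a signature tuned on one PoC body is a narrow net. The semantic check inverts the approach, asking whether the value could be a traceroute target at all, and it generalizes to every topicurl handler that takes a host argument; the same allow-list is the minimum a fixed handler should enforce before building a command line.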